Class: Conjur::Policy::Planner::Deny

Inherits:
Base
Defined in:
lib/conjur/policy/planner/permissions.rb

Overview

Plans a permission denial.

A Deny statement is generated only if the permission is currently held. Otherwise, it's a no-op.

Instance Attribute Summary

Attributes inherited from Base

#api, #plan, #record

Instance Method Summary

Methods inherited from Base

#account, #action, #create_record, #error, #initialize, #log, #record_type, #resource, #resource_exists?, #role, #role_exists?, #role_record, #update_record

Methods included from Logger

included

Constructor Details

This class inherits a constructor from Conjur::Policy::Planner::Base

Instance Method Details

#do_plan ⇒ Object



# File 'lib/conjur/policy/planner/permissions.rb', line 55

# Plans the revocation of the privileges named by this Deny record.
#
# Every permission currently attached to the record's resources is fed to
# the PrivilegeFacts as both a requested and an existing grant; the Deny
# record is then subtracted from that set. Whatever the facts report as
# still needing revocation becomes one Deny action each. Per the class
# overview, a permission that is not currently held yields no action.
#
# @return [void] results are emitted via #action
def do_plan
  facts = PrivilegeFacts.new self
  wanted_privileges = Array(record.privileges)

  # Mirror the live permissions into the requested set before removing the
  # denied one, so only grants that are actually held can end up revoked.
  Array(record.resources).each do |target|
    facts.resource_permissions(target, wanted_privileges) do |held|
      requested = Types::Permit.new.tap do |permit|
        permit.role = Types::Role.new(held['role'])
        permit.role.admin = held['grant_option']
        permit.privilege = held['privilege']
        permit.resource = Types::Resource.new(held['resource'])
      end
      facts.add_requested_permission requested
      facts.add_existing_permission held
    end
  end

  facts.remove_revoked_permission record
  facts.validate!

  # Each remaining grant is a (role, privilege, resource) triple to revoke.
  facts.grants_to_revoke.each do |role, privilege, resource|
    denial = Conjur::Policy::Types::Deny.new
    denial.resource = resource_record resource
    denial.privilege = privilege
    denial.role = role_record(role)
    action denial
  end
end